There is a concerning lack of cyber confidence and organizational maturity across all levels of government, according to a survey released today by SolarWinds. The report, which surveyed IT operations and security decisionmakers from Federal, state, and local governments, found that the biggest IT pain points for the public sector are IT complexity, insider threats, and controlling user network access.
“Complexity is a big theme in this year’s survey,” said Brandon Shopp, vice president for product strategy at SolarWinds. “Led only by budget constraints, complexity of internal environments is one of the most significant high-level obstacles to maintaining or improving IT security, and respondents indicated it’s keeping them from easily segmenting users and adopting a zero-trust approach. Our data shows this complexity is getting worse, especially in Federal environments.”
Roughly half of respondents (52 percent) cited “careless and untrained insiders” as the top threat. SolarWinds noted that this figure was consistent across both Federal and state and local respondents.
Tying into Shopp’s remarks, the survey identified budget constraints as a “significant [obstacle] to maintaining or improving organizational IT security.” Roughly a quarter of both Federal (24 percent) and state and local (27 percent) respondents cited budget constraints as an obstacle to improving cybersecurity.
A survey respondent who described themselves as a state government senior IT project manager and analyst said, “Our organization operates in denial with a preference for reactionary behavior instead of operating proactively. Government agencies tend to view IT spending as throwing money into a black hole until something occurs.”
When comparing this year’s survey to its 2014 report, SolarWinds did note some positive changes. In 2014, 40 percent of Federal respondents cited budget constraints, compared to 24 percent in 2020. However, while budget constraints are on the decline, concerns over IT complexity have increased. In the report released today, 21 percent of Federal respondents cited the complexity of the internal environment as a key obstacle – a marked increase from 14 percent in 2014.
In terms of cybersecurity maturity, respondents rated their agency’s maturity at 3.5, on average, on a scale of one to five. Asked where the public sector is most mature, respondents named endpoint protection (57 percent), continuity of operations (57 percent), and identity and access management (56 percent). However, SolarWinds did note that “there was not a single cybersecurity capability for which more than 57 percent of respondents claimed to be organizationally mature.”
The majority of public sector organizations rely on metrics to measure the success of their IT security teams. In terms of which metrics they’re evaluating, 58 percent look to the number of detected incidents and 53 percent use their team’s ability to meet compliance goals. The need to meet compliance mandates or regulations has had a significant impact on the public sector, with 75 percent saying that it has had a “significant or moderate impact on the evolution of their organizations’ IT security policies and practices.”